Scripted inputs
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Scripted inputs
By configuring inputs.conf, Splunk can also accept events from scripts. Scripted input is useful for command-line tools, such as vmstat, iostat, netstat, top, etc.
Note: Currently, scripted inputs do not get bundled in the deployment server. In the future, Splunk will support this behavior. For now, use your preferred configuration automation tool to push your script directory to your server classes.
Configuration
- Create a new directory under
$SPLUNK_HOME/etc/bundles/.- For example, make a directory called
scripts/. - This is the location of your scripts bundle directory.
- For example, make a directory called
- In your new
scripts/directory, create a directorybin/to contain the actual script.
Note: Your script must be in the bin/ directory underneath your scripts/ directory.
- Add the following lines to
$SPLUNK_HOME/etc/bundles/scripts/inputs.conffile:
[script://$SCRIPT]
interval = X
index = {main, $YOUR_INDEX}
sourcetype = {iostat, vmstat, etc} OPTIONAL
source = {iostat, vmstat, etc} OPTIONAL
disabled = false
Variables
-
scriptis the fully-qualified path to the location of the script -
intervalis in seconds- for constant data streams, enter 0
- for one-shot data streams, enter -1
- Note: this will re-run each time the splunk daemon restarts
-
indexcan be any index in your Splunk instance -
disabledis a boolean value that can be set to true if you want to disable the input -
sourcetypeandsourcecan be any value you'd like. Optional.
Example
This example shows the use of the UNIX top command as a data input source.
- Start by creating a new bundle directory. We will use
scripts/:
$ mkdir $SPLUNK_HOME/etc/bundles/scripts
- All scripts should be run out of a
bin/directory inside your bundle directory: -
$ mkdir $SPLUNK_HOME/etc/bundles/scripts/bin - This example uses a small shell script
top.sh:
$ #!/bin/sh top -bn 1 # linux only - different OSes have different paramaters
- Make sure the script is executable:
chmod +x $SPLUNK_HOME/etc/bundles/scripts/bin/top.sh
- Test that the script works by running it via the shell:
$SPLUNK_HOME/etc/bundles/scripts/bin/top.sh
- The script should have sent one
topoutput. - Add the script entry to
inputs.confin {{$SPLUNK_HOME/etc/bundles/scripts}:
[script:///opt/splunk/etc/bundles/scripts/bin/top.sh] interval = 5 # run every 5 seconds sourcetype = top # set sourcetype to top source = script://./bin/top.sh # set source to name of script
Note:
- You must restart your Splunk server for these changes to take effect.
- You may need to modify props.conf:
- By default Splunk breaks the single
topentry into multiple events. - The easiest way to fix this problem is to tell the Splunk server to break only before something that does not exist in the output.
- For example, adding the following to
$SPLUNK_HOME/etc/bundles/scripts/props.confforces all lines into a single event:
- By default Splunk breaks the single
[top] BREAK_ONLY_BEFORE = GobblyGook
- Since there is no timestamp in the top output we need to tell Splunk to use the current time. This is done in
props.confby setting:
DATETIME_CONFIG = CURRENT
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.